Fix Omniauth CSRF (CVE-2015-9284)

Gemfile

@@ -94,6 +94,12 @@ gem 'interactor', '~> 3.1'
 # A generalized Rack framework for multiple-provider authentication.
 gem 'omniauth', '~> 1.9'
 
+# This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request
+# Forgery on the request phrase when using OmniAuth gem with a Ruby on Rails
+# application) by implementing a CSRF token verifier that directly utilize
+# `ActionController::RequestForgeryProtection` code from Rails.
+gem 'omniauth-rails_csrf_protection', '~> 0.1'
+
 # Official OmniAuth strategy for GitHub.
 gem 'omniauth-github', '~> 1.3'
 

Gemfile.lock

@@ -239,6 +239,9 @@ GEM
     omniauth-oauth2 (1.6.0)
       oauth2 (~> 1.1)
       omniauth (~> 1.9)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     orm_adapter (0.5.0)
     parallel (1.17.0)
     parser (2.6.3.0)
@@ -474,6 +477,7 @@ DEPENDENCIES
   listen (>= 3.0.5, < 3.2)
   omniauth (~> 1.9)
   omniauth-github (~> 1.3)
+  omniauth-rails_csrf_protection (~> 0.1)
   pg (>= 0.18, < 2.0)
   pry-doc (~> 1.0)
   pry-rails (~> 0.3)

app/views/users/shared/_links.html.erb

@@ -19,7 +19,7 @@
 
 <%- if display_omniauth_links? %>
   <%- resource_class.omniauth_providers.each do |provider| %>
-    <%= link_to translate('.sign_in_with_provider', provider: OmniAuth::Utils.camelize(provider)), omniauth_authorize_path(resource_name, provider) %>
+    <%= link_to translate('.sign_in_with_provider', provider: OmniAuth::Utils.camelize(provider)), omniauth_authorize_path(resource_name, provider), method: :post %>
     <br/>
   <% end -%>
 <% end -%>